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SUMMARY 

The B-52 SAS (Stability Augmentation System) was developed and retrofitted 
to nearly 300 aircraft. It actively controls B-52 structural bending, provides 
improved yaw and pitch damping through sensors and electronic control channels, 
and puts complete reliance on hydraulic control power for rudder and elevators. 
The system has now experienced over 300,000 flight hours and has exhibited ser- 
vice reliability comparable to the results of the reliability test program. 
Development experience points out numerous lessons with potential application in 
the mechanization and development of advanced technology control systems of high 
reliability. 


j INTRODUCTION 

i 

The B-52 SAS (Stability Augmentation System) was developed and retrofitted 
on nearly 300 aircraft in order to achieve the following objectives: 


a. Minimize fatigue damage due to structure deflection in turbulence. 

b. Improve capability of withstanding extremely high velocity gusts. 

c. Improve yaw and pitch damping 

d. Increase rudder and elevator authority. 

e. Improve crew ride. 

It was necessary to place unusual emphasis on system reliability, for two 
principal reasons: 

a. On the yaw and pitch axes, replacement of the original mechanical 
(servo tab) system by a hydraulic actuator system introduces the 
possibility of total loss of rudder and elevator control in flight due 

to hydraulic failures. 

b. The use of an electronic system with relatively high rudder and elevator 
authority introduces the possibility of sudden unscheduled displacements 
or **hardovers*’ of the control surfaces due to electrical faults, with 
obvious flight safety implications. 
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REDUNDANCY MANAGEMENT 

Figure 1 Is a simplified schematic diagram of the SAS . Yaw damping and 
elastic mode suppression signals are generated by combining rate gyro outputs 
with lateral accelerometer outputs, and the gains are scheduled according to air- 
speed (high gain at low airspeed and vice versa) . For the pitch axis, only rate 
gyro signals are used; the gain is fixed and independent of airspeed. There are 
two essentially independent hydraulic power supplies, each having a main pump and 
an emergency pump. The main pumps are electrically powered; the emergency pumps 
are simply hydraulic transformers (motor-pump packages), driven by separate 
existing utility hydraulic systems and provided with flow limiters to avoid 
crippling the utility systems in the event of loss of fluid from a SAS system. 

The control surface actuators are of tandem type, normally powered by both 
hydraulic supplies . 

The system is basically FO-FS (fail operational on first failure, fail soft 
on second), with the following exceptions: 

a. If two lateral accelerometer channels fail, all three accelerometer 
channels drop out, while the yaw axis continues to operate on the yaw 
rate gyro signals only. 

b. If two gain scheduling channels fail, all three channels revert to a low 
gain that is safe at all airspeeds. 

These two features provide a substantial decrease in the number of two-failure 
combinations that can cause yaw axis disengagement or loss of function. 

The basic redundancy management concept is relatively straightforward. At 
various points in the three-channel sensor-electronics subsystem, voters and 
comparators are used, as shown on Figure 2. For example, the three inputs at the 
left of the diagram may represent three rate gyro outputs, while the three out- 
puts at the right may represent three channels of an electronic control unit. 

If any input disagrees with the median signal by more than the preselected error 
threshold, the comparator trips and latches itself in the tripped mode. In this 
mode, the comparator swamps the discrepant input so that it will not be selected 
by any voter as a median signal. In some cases the swamping signal is a hard- 
over; in other cases, it is a 400 Hz square wave. Also, the comparator shuts off 
its normal "O.K.” signal to the logic circuitry, thus preparing the logic to take 
proper action in the event of a subsequent second failure. On the yaw axis, the 
failure of one channel also sends a ^channel failed" signal to the pilot, warning 
him that redundancy has been lost and that yaw damping will be automatically 
disengaged in the event of a second similar failure. Loss of yaw damping is not 
a highly critical failure mode, but it poses a slight threat to flight safety by 
requiring manual damping of Dutch roll, which may be difficult with certain ad- 
verse combinations of high gross weight, high altitude, poor visibility, and 
turbulence. No such warning to the pilot is required for single channel failures 
in accelerometer, gain scheduling, or pitch axis channels, as these pose no 
threat to flight safety and require no special crew action. 
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FLIGHT SAFETY RELIABILITY 


In early discussions. Air Force representatives expressed a clear desire to 
state the system reliability objective in terms of aircraft loss rate. This 
required analysis in considerably greater depth than ordinary reliability calcu- 
lations for a redundant system. It was necessary to: 

a. Define each potentially critical failure mode of the system in terms of 
the effect on control surface motions. 

b. Compute the probabilities of occurrence separately for each of these 
modes during each phase of a standardized mission profile. . 

c. Compute the probability of aircraft loss for each mode in a variety of 
flight conditions (altitude, airspeed, and presence of nearby aircraft 
such as in aerial refueling) with proper allowance for probabilities of 
various turbulence intensities and visibility conditions. 

d. Combine the above to obtain a total predicted B-52 loss rate attribu- 
table to SAS failure. 


CRITICALITIES 

During the prototype program, hundreds of SAS failures were simulated in 
piloted flight simulators and the resulting aircraft motions were recorded. Five 
or more different pilots were used for each combination of SAS failure mode and 
flight condition. After each simulation, the pilot was asked to estimate the 
percentage of SAC pilots that would have been unable to avoid loss of the air- 
craft. The results were averaged to arrive at a probability of aircraft loss for 
each combination. These results were combined with the probabilities of given 
turbulence conditions, visibility conditions, and autopilot status to yield a 
criticality matrix suitable for use in the aircraft loss prediction program. 
Criticality, as used here, is defined as the probability of aircraft loss IT the 
given system failure mode occurs during given flight conditions. 

In the past, there has been a widespread tendency to treat criticality as a 
dichotomy. To label a failure mode as ’Vcritical*’ meant that it would invariably 
cause loss of the aircraft, and to label it as ”non-critical” meant that it 
would never cause loss of aircraft. In other words, criticality was assigned 
only two possible values: zero and 100 percent. It is true, of course, that many 
failure modes have criticalities of zero, and some failure modes, such as gross 
failure of a primary structure, have criticalities of 100 percent. But in any 
attempt to make a realistic prediction of the flight safety reliability of a 
control system, it must be recognized that many of the failure modes will have 
intermediate criticalities. They may approach 100 percent with unfavorable 
combinations of flight conditions, and may be essentially zero with favorable 
combinations of flight conditions. 

The probability of occurrence of each potentially critical system failure 
nio4e during each phase of the mission was computed using conventional methods, 
but^with certain refinements as subsequently discussed. These probabilities of 
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occurrence were compiled into a failure mode occurrence probability matrix. 

Figure 3 is a simplified diagram showing the principal factors entering into the 
construction of these two matrices. The two matrices are constructed and 
combined in a computer program to predict aircraft losses. 

In many cases it was found that the criticality of a given system failure 
mode was not necessarily determined by the mission phase or flight conditions in 
which the failure occurred, but by subsequent conditions. Many failure modes 
are relatively noncritical in high altitude cruise, for instance, but leave the 
system in a degraded state that may have a much greater criticality in subsequent 
mission phases such as low level penetration or landing. Since high altitude 
cruise accounts for a large portion of the mission duration, most of the failures 
will tend to occur during cruise, but many of the resulting aircraft losses will 
occur during a subsequent mission phase. For other failure modes, the surprise 
factor is predominant; the probability of aircraft loss is chiefly dependent on 
the pilot’s skill and corrective actions immediately after the failure. These 
considerations were taken into account in the computerized program. 


BITE 

The system includes BITE (Built-In Test Equipment) which serves two main 
purposes: 


a. It permits a quick preflight checkout to determine, as far as 
practicable, that all components in all channels are unfailed before 
takeoff . 

b. It facilitates diagnosis by identifying the failed LRU. 

Neither of the above BITE functions is achieved with 100 percent certainty. 

A careful analysis was made to determine which failure modes of which components 
could not be detected by BITE or by any feasible preflight check. For each such 
’’hidden” failure mode, suitable ground check intervals were established. Where- 
ever a hidden mode, in combination with other component failure modes, could 
produce a potentially critical system failure mode, the computation of the 
probability of system failure mode occurrence was based on the established ground 
check interval and not merely the time since takeoff. This makes a significant 
difference in the probability of a given two-failure or three-failure combina- 
tion, as compared to the conventional method of computing redundant system 
reliability, which is based on the implicit assumption that all parts are 
unfailed at takeoff. 


SNEAK FAILURE MODES 

In addition to this ’’hidden” failure mode problem, we also encountered 
several ’’sneak” failure modes. A sneak failure mode may be roughly defined as 
one which produces unexpected effects that tend to negate part of the redundancy. 
Such modes exist chiefly because of inadequate FMEA (Failure Mode and Effect 
Analysis) . For example, the voters used in the -prototype design contained two 
sneak failure modes. In one of them, a single voter fault would produce a 
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hardover signal on all three channels simultaneously. In the other, a single 
voter fault would cause a single hardover originating upstream to be propagated 
downstream on all three channels. These problems were corrected in the produc- 
tion design. 

Another fertile field in which sneak failure modes typically abound is in 
the area of electronic module power supplies. Naturally, the three-channel 
redundant configuration of the electronics and sensors employed separate power 
supply modules to power the electronics on each channel. Here again sneak 
failure modes were found. For example, one power supply module failure could 
disable a channel and at the same time prevent the logic circuitry from taking 
proper action. Such modes were **designed out" wherever they appeared. ^ 


FAILURE MODE AND EFFECT ANALYSIS 

As might be suspected from the above remarks, the task of analyzing failure 
modes and their effects was of paramount importance in making a realistic flight 
safety reliability analysis for the SAS. The FMEA is a traditional task that is 
usually called for in reliability programs, but the output, in many cases, is of 
little value in realistic computation of the reliability of a redundant system. 
Among the typical shortcomings are: 

a. Excessive emphasis on what fails rather than how it fails; insufficient 
recognition of failure modes other than open circuit and short circuit. 

b. Inadequate definition of effects on the system; use of catch-all phrases 
such as "loss or degradation of output"; phrases such as "Loss of 15 VDC 
power'^ without any attempt to describe what happens to the system when 
the 15 VDC power is lost. 

c. Endless repetition of the obvious and neglect of the nonobvious. 

d. Failure to explain the functioning of the system or assembly and its 
components so that the FMEA will be meaningful to personnel not highly 
familiar with the design. 

e. Inadequate explanation of redundancies, where applicable; failure to 
recognize that while two assemblies may be in parallel with respect to 
the more common or obvious failure modes, they may be effectively in 
series with respect to less obvious failure modes . 

Although formal FMEA reports at the assembly level were generated in the 
SAS reliability program, there was no attempt to compile a system-level FMEA in 
the usual format which is not well suited for delineating the effects of 
redundancies-. Instead, the FMEA was effectively combined with the quantitative 
flight safety reliability analysis as illustrated by Figures 4 and 5. These 

figures represent two of the system failure modes. The notations f/Q, f^n^ etc. 

4 V / U 

represent hourly failure rates of the various subassemblies in the applicable 
subassembly failure modes. In other words, they represent blocks on a series- 
parallel block diagram or a fault tree. Each critical system failure mode has a 
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separate diagram or a separate branch on a fault tree, with blocks representing 
only those failure modes of subassemblies or components that contribute to the 
given critical system failure mode. Notations such as h^p §67’ are the 

applicable mode failure rates of subassemblies in an off-line or standby status. 
W represents the probability of icing conditions that would incapacitate a pitot 
head with a failed heater. The symbol H refers to J:he 300-hour periodic check 
for pitot system leakage, which is the failure mode denoted by The 

notations and T 2 refer to time since takeoff; for example, if a mission phase 
starts 5.52 hours after takeoff and ends 7.52 hours after takeoff, = 5.52 and 
T 2 = 1 . 52 . Insofar as potentially critical modes are concerned, the FMEA is thus 

represented by a collection of critical system, failure mode formulations similar 
to Figures 4 and 5. We have attempted the task of modifying the usual FMEA 
format to make it useful in redundant system analysis, but are not satisfied 
with results to date. 


Many component failure modes were simulated in laboratory tests, in order to 
evaluate failure mode effects that were not clearly predictable. 


BLOCK DIAGRAMS AND FAULT TREES 

Series-parallel block diagrams and fault trees are sometimes thought of as 
two different techniques for redundant system reliability analysis, although 
when properly used they convey identical information. The chief differences 
between these two approaches, as traditionally used, are: 


a. Blocks on the fault tree generally represent events or specific failure 
modes of components, while blocks on the series-parallel diagram have 
sometimes been used to represent the total failure rates of components. 

b- The fault tree is generally constructed beginning at the top or system 
level and working down to the detail or functional module level; with 
the block diagram, there is a tendency to start at the component 
level and work up to the system level. 

In the B-52 SAS analysis, we used two teams, one starting at the top and working 
down, and the other starting at the bottom and working upward. Comparison of 
the results provided a useful cross-check and helped to minimize the chance of 
overlooking critical combinations. As long as the blocks represent specific 
failure modes of the modules or components, there is no significant difference 
between the two diagramming techniques, and the choice between them is reduced 
to a matter of personal preference. 


RELIABILITY TESTS 

The reliability programs for both the prototype and production contracts 
included extensive system reliability testing in general accordance with 
MIL-STD-781. Ordinarily, system reliability tests are conducted primarily for 
the purpose of MTBF measurement or verification of compliance with MTBF 
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requirements. For the SAS, the system tests were regarded primarily as oppor- 
tunities for failure cause analysis in order that corrective actions could be 
initiated at the earliest possible date. It is almost axlomatiG in the industry 
that the first MTBF test will show an MTBF of about one tenth of the predicted 
value. (Maybe we were just lucky; our first prototype MTBF test on the SAS 
indicated an MTBF of about one fourth of the prediction, instead of one tenth.) 
Most of the failures in the MTBF tests, as well as in the flight test program 
and operational mockup (”Iron Bird”) tests, showed clear causes in a careful 
failure analysis, and corrective actions were initiated for the subsequent 
production articles . 

MTBF testing under the production contract was divided into four phases: 

Phase A consisted of about 1800 hours of operation on an incomplete system - 

partly with prototype hardware and partly with early production (unquali- 

fied) hardware. 

Phase B involved 2000 hours of operation on early production hardware. 

Phases C and D involved 515 hours each, using fully qualified production 
hardware. 

The purposes of Phases A and B was to determine where reliability improve- 
ments were needed, at the earliest practicable date. The purpose of Phases C 
and D was to demonstrate attainment of the required MTBF. 

The reliability test environments, both prototype and production, included 
cold soaks and operation at ambient temperatures up to 71^C (160^F). Initially, 
the prototype test included periods of applied vibration at 33 Hz and 2g 
amplitude. Vibration attempts were finally abandoned for the following reasons: 

a. This low frequency was not found to produce any significant effects on 
equipment failure rates. 

b. This type of vibration bears practically no relation to the vibration 
encountered in jet aircraft. 

c. Any significant increase in frequency would require a totally new test 
setup. The supporting jig was marginal even at 33 Hz. 


EFFECTS OF WEAROUT 

It is widely assumed that scheduled replacements in service will avoid the 
occurrence of normal wearout failures. MTBF is consequently often considered as 
a function of random failure rates only; and since MTBF is customarily demon- 
strated by tests that typically operate each specimen lor 500 hours or less, 
normal wearout is seldom significant in MTBF demonstrations. As a result, we 
see so-called MTBF values of 10,000 or even 50,000 hours quoted for mechanical 
and hydraulic equipment items, based only on their ’'random” failure rates under 
the assumption that scheduled replacement will avoid normal wearout problems. 
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MTBF In service,, however, is a distinctly different problem. Scheduled 
replacements are seldom specified or practiced except where there is a clear-cut 
safety implication. As a result, the effective MTBF on such equipment is often 
far less than a pure ^random failure** consideration would Indicate. 


SERVICE EXPERIENCE 

For this reason, we kept two sets of books on the SAS MTBF — one set 
based on random failure rates only, and the other including estimated normal 
wearout effects. Table I shows the resulting difference in predicted system 
MTBF, and also shows the failure experience in service for calendar years 1972 
and 1973. The following conclusions may be noted from this table: 


a. The hydraulics subsystem shows a distinct rise in failure rates from 
1972 to 1973. The 1973 rates agree closely with the prediction that 
includes wearout effects. 

b. The sensor-electroniGs subsystem shows a decrease in failure rates 
from 1972 to 1973, in spite of expected wearout effects in the six 
gyros. This indicates a mixture of 'two different kinds of apparent 
infant mortality effects: 

(1) The usual infant mortality experienced in electronic equipment, 
in spite of burn-in prior to delivery. 

(2) An improvement in the maintenance organizations* familiarity with 
the equipment, resulting in better repairs and fewer unnecessary 
replacements . 

c. Field experience on the system as a whole agrees closely with the 
prediction that included estimated effects of normal wearout. 

The last two columns at the right of Table I are based on detailed analysis 
of two field data samples which both indicated that about one third of the 
reported electronic failures might be attributed to trial-and-error trouble- 
shooting or other diagnostic errors. This situation is believed to be improv- 
ing with time and experience gained in the field. 

Table II shows the various types of mission reliabilities experienced in 
service in the 1972-1973 period. There were no corresponding quantitative 
requirements or predictions. 

Table III shows the SAS flight safety reliability requirements and pre- 
dictions. The predictions were calculated both with and without normal wearout 
effects. There have been no losses to date attributable to the SAS. There 
were several early occasions of loss of one hydraulic power supply in service, 
due to fatigue failures of main pump rigid discharge lines which happened to be 
in resonance with the pump pulsation frequency. Actually, a similar failure 
had previously occurred in system reliability testing, but no importance was 
attached to it, since the test chamber space limitations required the use of 
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plumbing configurations somewhat different from those of the aircraft. The 
lesson learned from this experience is that every effort should be made to use 
aircraft plumbing configurations in system reliability tests, particularly where 
there are conceivable resonance or fatigue problems. 

The system MTBF tests indicated surprisingly low reliability for certain 
simple widely used standard or semistandard hydraulic components such as accum- 
ulators and pressure switches. Although corrective actions were initiated, the> 
field reliability experience on these components is still disapp'ointing. 

CONCLUDING REMARKS 

The next few years will see extensive development of electronic-hydraulic 
flight control systems of fly-by-wire and controls-conf igured-vehicle types, 
performing highly essential functions and with extremely high reliability 
requirements. The B-52 SAS program has provided useful experience for the 
development of such systems, and has demonstrated the need for close attention 
to the following considerations: 

• Optimization of redundancy management. 

• Meaningful Failure Mode/Effects analyses with particular emphasis on 
effects of redundancy and redundancy management and on early detection 
of possible sneak failure modes. References 1, 2, and 3 all provide 
useful guides for failure mode effect analysis. 

• Laboratory simulation of failure modes to verify effects and serve as 
an added guard against sneak failure mode effects. 

• Piloted simulator programs to measure pilot reaction to failure modes 
where applicable, under various visibility and turbulence conditions. 

• Adequate consideration of wearout effects in mechanical/hydraulic 
components . 

• Quantification of system failure mode criticalities to permit better 
allocation of effort and redundancy. 

• Adequate BITE to avoid takeoff with possible hidden failure modes. 

• Suitable periodic checks for detection of possible hidden failure modes 
not feasibly detectable by BITE. 

• Proper reflection of periodic check interval in reliability predictions, 
for modes not detected by BITE. 

• Adequate BITE fault isolation capability to facilitate proper system 
repair. 

• Definition of reliability requireraents for supplier-designed components 
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in terms of failure mode effects and redundancy management as well as 
the customary MTBF requirements. 


• Establishment of schedule that permits adequate reliability testing to 
find areas for reliability improvement at earliest possible time before 
final design freeze. 

• Vigorous failure analysis and reliability corrective action program, 
not only in reliability tests but also in other test areas (qualifica-" 
tion, iron bird, flight tests, etc.) 
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Figure 1. - B-52 SAS Diagram. 
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Figure 2. - Typical Voter-Comparator Diagram. 
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AUTOPI LOT 
STATUS 


Figure 3. - Matrices and Loss Predictions 
















MODE 25. MOMENTARY RUDDER HARDOVER TO SAS AUTHORITY LIMIT OR LESS, GUT OFF BY PROMPT COMPARATOR 
TRIP PRODUCING LOSS OF YAW DAMPING. 

CONDITIONS PRODUCING MODE 25 ARE: 


ITEM 

(1) OPEN LOOPS ON BOTH SERVO CHANNELS (EITHER SEQUENCE) 

(2) FAILURE OF NO. 1 SERVO CHANNEL (ANY SOURCE OF 
COMPARATOR TRIP OTHER THAN OPEN LOOP), FOLLOWED 
BY OPEN LOOP ON NO. 2 SERVO CHANNEL 

(3) FAILURE OF NO. 2 SERVO CHANNEL (ANY SOURCE OF 
COMPARATOR TRIP OTHER THAN OPEN LOOP), FOLLOWED BY 
OPEN LOOP ON NO. 1 SERVO CHANNEL 


PROBABILITY 

't^49 ^70 ^87^ *^71 % 7 * ^^2^ ~ 

(1/2) (f2s + f40 + ^45 ^47 ^fgo + ^66 

■‘■^88 ^89^ ^71 * ^ 7 ) f^2^ 1 

(1/2) (f28 + 144 + f46 + ^48 +^60 '^ 967 969 ^86 ^ 

+ f 89 ) (f49 + ^70 + ^87^ 2^ ~ ^1^) 


P 25 = PROBABILITY OF OCCURENCE OF MODE 25 BETWEEN T| AND T 2 

= [{^49'^^70'^%7} {^50 ■^*’71 ■^^87'^ <^28 ^44 ^46 ^48 ^60 

+ 967 969 %6 ^88 ^89^} (128 ^40 ^45 U7 2f6Q + 166 

+%8 2186 ^89^ ^71 ^87>] C^2^-'’'l^] 


Figure 4 
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MODE 33: SUSTAINED RUDDER OSCILLATION (FLUTTER) AT AIRSPEED ABOVE 300 KNOTS EAS, DUE TO 

EXCESSIVE YAW SAS GAIN. 

CONDITIONS PRODUCING MODE 33 ARE; 

ITEM PROBABILITY 

(1 ) LOSS OF PITOT PRESSURE : 

(la) FAILURE OF BOTH PITOT HEATERS, MULTIPLIED Hqq)^ W) {J2^ ~ T-i^) 

BY PROBABILITY OF MODERATE TO SEVERE ICING 

CONDITIONS 

* 

(lb) FAI LURE OF EITHER PITOT HEATER (MULTIPLIED 2W(f8o) (fsi) (300/2) T 2 - T^ ) 

BY PROBABILITY OF ICING), AND LARGE LEAK IN 

OPPOSITE PITOT LINE 

(lc) LARGE LEAKS ON BOTH PITOT LINES (fgi {300) (T 2 - T^ ) 

(l d) SINGLE FAILURE IN PITOT MANIFOLD VALVE, PSU f82 (Tz - T-, ) 

MANIFOLD OR INTERCONN EGTING HOSE 

(2) DEGRADATION OF PSD GAIN IN YAW SERVO POSITION fgs (T 2 - T^ ) 

FEEDBACK LOOP 

(3) STUCK SOLENOID VALVE ON NO. 1 YAW SERVO, COMBINED (fgo) (f40+%0'^^86'^f88+f89) (''' 2 ^ “ 

WITH ANY TRIP OF NO. 1 SERVO COMPARATOR WHICH LEAVES 

SENSOR COMMAND APPLIED TO SERVO 

P 33 = PROBABILITY OF OCCURRENCE OF MODE 33 BETWEEN T^ AND T 2 

^ -It 

= (f80)^(W)(T2^ - Ti^) + W(fgo){f 8 l) (300)(T2 - T^) + (fgi)2 (300) (T 2 - T^) + fg 2 (T 2 - T,) 

^83^^2 “ ^ 1 > ^^40 ^60 (86 ^88 (89^ (Tz^-T-j^) 

*H = 300 HOURS FOR fg^ 


Figure 5 



TABLE I 


MTBF COMPARISONS 



FAILURES PER THOUSAND FLIGHT HOURS 



PREDICTIONS 
BASED ON 
TEST EXPERIENCE 

AFM-66-1 SERVICE DATA 

ITEIVI 

COUNTING ALL 
REPORTED 

COUNTING 2/3 
OF REPORTED 


NO 

WEAROUT 

WITH 

WEAROUT 

ELECTRONIC 

FAILURES 

ELECTRONIC 

FAILURES 


1972 

1973 


1973 

S^NSOR/ELECTRONICS 

SUBSYSTEM 

5.077 

7.459 

9.756 

8.705 

6.504 

5.803 

HYDRAULICS 

2.553 

7.271 

5.306 

7.564 

5.306 

7.564 

MISCELLANEOUS 

1.697 

1.697 

0.601 

0.857 

0.601 

0.857 

SYSTEM 

9.327 

16.427 

15.663 

17.126 

12.411 

14.224 

MTBF, HOURS 

107 

61 

64 

58 

81 

70 

M+BF GOAL 

100 


— 

— 

— 























TABLE II 


SAS MISSION RELIABILITY COMPARISONS 


BASIS: SAC AIR VEHICLE PERFORMANCE REPORTS, 1972 AND 1973 


ITEM 

RELIABILITY 

FLIGHT RELIABILITY: 


PROBABILITY OF NO FLIGHT ABORT DUE TO SAS 

99.96% 

PROBABILITY OF NO SAS FLIGHT ABORT OR MAJOR 
DEGRADATION* IN FLIGHT 

99,58% 

DISPATCH RELIABILITY: 


PROBABILITY OF NO LATE TAKEOFF OR CANCELLATION 
DUE TO SAS 

99.73% 

COMBINED RELIABILITY: 


PROBABILITY OF NO SAS FLIGHT ABORT, MAJOR 
DEGRADATION, LATE TAKEOFF, OR CANCELLATION 

99,31% 


t 

^INCLUDES LOSS OF PRESSURE FROM ANY OF THE FOUR PUMPS. 
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TABLE III 

SAS FLIGHT SAFETY RELIABILITY 



FLIGHT SAFETY 
RELIABILITY 

AIRCRAFT LOSS RATE DUE 
TO SAS, PER 10® FLIGHTS 

GOAL 

99.999182% 

8.18 

PREDICTION (NO WEAROUt) 

99.999798% 

2.02 

PREDICTION (WITH WEAROUT) 

99.999508% 

4.92 

EXPERIENCE TO DATE 

NO LOSSES 

NO LOSSES 
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